CSA Publishes Guide on Conducting Threat Identification and Assessing Effectiveness of Controls for Smart Buildings

The Cyber Security Agency of Singapore (“CSA”) has published the Guide on Conducting Threat Identification and Assessing Effectiveness of Controls for Smart Buildings (“Guide”). The Guide aims to aid building owners and facility managers by providing:

  1. steps to identify threats that affect both cyber assets and physical safety;
  2. guiding principles to assess the effectiveness of controls implemented to protect cyber-physical systems (“CPS”); and
  3. actionable steps to protect the growing number of smart building systems connected to the Internet from cyber threats.

The Guide focuses on areas such as:

  1. recognising cyber-physical threats within building and automation systems;
  2. identifying assets with CPS considerations, including those arising when legacy systems are connected to new smart technologies; and
  3. identifying and assessing the effectiveness of controls for CPS.

Importantly, the Guide sets out how to conduct threat identification for CPS in smart buildings:

  1. Step 1: Define the scope
  2. Step 2: Identify assets and resources
  3. Step 3: Map out all the connected devices
  4. Step 4: Highlight critical assets and CPS
  5. Step 5: Analyse potential threats and vulnerabilities
  6. Step 6: Develop attack paths
  7. Step 7: Build threat scenarios

The Guide also provides practical guidance to help stakeholders identify and assess the most effective mitigation controls for CPS:

  1. Understand the specific risks and impact of each CPS category.
  2. Evaluate the control’s ability to prevent the risk.
  3. Assess the control’s capability to detect and respond.
  4. Consider control feasibility and operational impact.
  5. Layer controls (defence-in-depth).
  6. Regularly validate control effectiveness.
  7. Prioritise controls based on business and safety impact.

More information is available on the CSA website at www.csa.gov.sg.


Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.

© 2024 Rajah & Tann Asia. All Rights Reserved. All trademarks are property of their respective owners.